
Recipe 3.4 Removing Passwords from a Router Configuration File

3.4.1 Problem

You want to remove sensitive information from a router configuration file.

3.4.2 Solution

The following Perl script removes sensitive information such as passwords and SNMP community strings from configuration files. The script takes the name of the file containing the router's configuration as its only command-line argument.

Here's some example output:

Freebsd% strip.pl Router1-confg
   
version 12.2
service password-encryption
!
hostname Router1
!
aaa new-model
aaa authentication login default local
enable secret <removed>
enable password <removed>
!
username ijbrown password <removed>
username kdooley password <removed>
!
!Lines removed for brevity
!
!
snmp-server community <removed> RO
snmp-server community <removed> RW
!
line con 0
 password <removed>
line aux 0
 password <removed>
line vty 0 4
 password <removed>
 end
Freebsd%

Example 3-1 contains the Perl script.

Example 3-1. strip.pl
#!/usr/local/bin/perl
#
#       strip.pl   -- a script to remove sensitive information
#                     from a router configuration file.
#
use strict;
use warnings;

my $configf;
my $config;
undef $/;                      # slurp mode: read the whole file in one go
#
$configf = shift(@ARGV);
die "usage: strip.pl config-file\n" unless defined $configf;
if (open (CNFG, $configf)) {
    $config = <CNFG>;
    close (CNFG);
    # Each pattern runs from the keyword to the end of its line (.* does not
    # cross a newline), so only the secret value itself is replaced.
    $config =~ s/password .*/password <removed>/gi;
    $config =~ s/secret .*/secret <removed>/gi;
    $config =~ s/community [^ ]+/community <removed>/gi;
    print $config;
} else {
    print STDERR "Failed to open config file \"$configf\"\n";
}

3.4.3 Discussion

This script strips sensitive information from router configuration files. You can safely store or forward the resulting "stripped" configuration files to others, including vendors, partners, or colleagues. Recipe 3.5 shows how trivial the default password-encryption method is, which highlights why stripping a configuration file like this is so important.

This script should require no modifications to work in most environments. Because the script sends its output to the screen, you will have to direct the standard output into a file if you want to save a copy of the "stripped" configuration file:

Freebsd% strip.pl Router1-confg > /tmp/Router1-stripped

This example runs the script and sends the output to a file called Router1-stripped in the directory /tmp. Of course, you can direct the output of the script to any file you wish.

In earlier recipes, we mentioned that the enable secret password was encrypted using a strong method, MD5, and that no known method of reversing it exists. However, you may still be vulnerable to brute-force attacks, in which an attacker systematically encrypts likely sequences of letters, numbers, and characters in an attempt to find an encrypted match. Although these types of attacks are time-consuming, there are a number of freely available software packages that offer efficient password-cracking capabilities. In short, it is better to be safe than sorry.

You can easily modify the script to strip other sensitive configuration commands (such as TACACS keys, routing keys, etc.) by simply adding more substitution lines. For instance, to strip TACACS keys, add the following line of code near the other lines that begin with $config =~:

$config =~ s/tacacs-server key .*/tacacs-server key <removed>/gi;
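The same four substitutions rendered in Python, with a post-check the script itself does not perform: this is an added example, not the book's script, and the configuration it runs on is constructed. After stripping, it re-scans the output for every secret value the rules matched in the original; in the sample, the community string also appears on an snmp-server host line, where no keyword rule fires, and the check reports it.

```python
import re

# (keyword, value) pattern pairs mirroring strip.pl plus the tacacs-server key
# rule. [^\n]* plays the role of Perl's .* (it stops at the end of the line).
RULES = [
    (r"password ", r"[^\n]*"),
    (r"secret ", r"[^\n]*"),
    (r"community ", r"\S+"),
    (r"tacacs-server key ", r"[^\n]*"),
]
COMPILED = [re.compile(rf"({kw})({val})", re.IGNORECASE) for kw, val in RULES]


def strip_config(text):
    """Replace each matched secret value with <removed>, keeping the keyword."""
    for rx in COMPILED:
        text = rx.sub(r"\1<removed>", text)
    return text


def secret_values(text):
    """Every value the rules would strip from this text (for the post-check)."""
    found = set()
    for rx in COMPILED:
        for m in rx.finditer(text):
            found.add(m.group(2))
    found.discard("<removed>")
    return found


def leaked(original, stripped):
    """Original secret values that still occur anywhere in the stripped output."""
    return sorted(v for v in secret_values(original) if v in stripped)


# Constructed sample; addresses and secrets are placeholders, not real values.
SAMPLE = """\
version 12.2
service password-encryption
!
enable secret 5 $1$abcd$exampleConstructedHash
enable password 7 0822455D0A16
username ijbrown password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.10 public
tacacs-server key constructed-tacacs-key
line vty 0 4
 password 7 0822455D0A16
end
"""

if __name__ == "__main__":
    out = strip_config(SAMPLE)
    print(out)
    print("leaked:", leaked(SAMPLE, out))
```

A non-empty leaked list means a rule needs adding for the line that still carries the value, here the snmp-server host line.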

3.4.4 See Also

Recipe 3.2; Recipe 3.3; Recipe 3.5
